VW breach exposes location of 800k electric vehicles

Legal and regulatory implications

  • Many expect serious GDPR consequences, given sensitive, long-term location tracking of ~800k cars.
  • Others think VW is “too big to fail” in the EU and will get a fine and some resignations, but no existential threat.
  • Debate over liability: some argue Cariad (VW’s software arm) is at fault; others note that under GDPR the carmaker, as data controller, remains jointly liable.
  • Some call for strict per-person compensation (e.g., €/$100+ per affected user) and even corporate “death penalty” (charter revocation) for repeat abuses.
  • Question raised whether EU treats US tech more harshly than EU carmakers; countered with examples of large fines and data showing broad enforcement.

Why VW had the data & consent problems

  • Telemetry used for apps (remote preheating, finding car, anti-theft, service tracking), speed-limit display, and forthcoming “intelligent speed assistance.”
  • Critics argue there is no legitimate need for storing personally identifiable, precise location history centrally.
  • “Consent” is often bundled into vehicle/app activation; some note UX that nags until users accept T&Cs, likened to cookie banners.
  • Some owners report opt-out or “offline profiles,” but trust that disabling actually stops collection is low.

Security, audits, and platform issues

  • Breach reportedly tied to VW’s software platform (MEB/Cariad), affecting mostly EVs but also some ICE/hybrids sharing the same stack.
  • A CCC talk (in German/English) is cited as the primary technical source; it notes exposed VINs, locations, and linked owner data.
  • Skepticism about ISO/TÜV certifications: audits seen as “paper theater” that don’t prevent major security failures.

Telemetry, surveillance, and control

  • Strong concern about abuse scenarios: blackmail using location patterns, government or corporate overreach, potential future geofencing (e.g., protests).
  • Some defend aggregated, privacy-preserving metrics as essential for debugging complex systems; others argue testing and non-identifiable data are enough.
  • Technical proposals include end-to-end encrypted location (manufacturer can’t read it), hardware ability to remove/disable modems, or legally mandated opt-out/opt-in defaults.

User reactions and coping strategies

  • Many vow to keep or buy older, “dumb” cars; others note that modern vehicles are much safer and that connectivity is harder to avoid (eCall mandates, hidden modems).
  • Practical hacks discussed: pulling fuses, removing SIMs, or shunting antennas—though this may also disable useful features (emergency calling, Bluetooth mic, remote HVAC).